How One Token Could Have Compromised Every Microsoft Entra ID Tenant on Earth, And Why It’s Time for Authorityless Security

Recently, security researcher Dirk-Jan Mollema disclosed CVE-2025–55241, a vulnerability so catastrophic that it reads like fiction: a single token, obtained from any test tenant, could have granted complete administrative control over every Microsoft Entra ID (Azure AD) tenant in the world. Every. Single. One.

Let that sink in. Your enterprise security, your government agency’s identity management, your startup’s entire cloud infrastructure, all of it could have been compromised by someone with a lab account and basic technical knowledge.

This isn’t just another vulnerability. It’s another smoking gun that proves our entire approach to cybersecurity is fundamentally broken.

Another God Mode Vulnerability in a Long Line of “Never Should Have Happened” Breaches

The short version for non-technical readers: An attacker could have become anyone in any Microsoft cloud tenant, accessed anything, and done it all completely undetected with what appeared to be legitimate access that bypassed all security controls. Think of it as finding a master key that opens every door in every building in the world, while also making you invisible to all security cameras.

The technical details: Microsoft’s backend uses something called “Actor tokens” for service-to-service communication. Due to a critical validation flaw, these tokens could be used across tenant boundaries, granting attackers the ability to read all user data, group memberships, application permissions, even BitLocker keys, completely undetected. When ready to strike, they could create new Global Admin accounts or take over existing identities. Read the full technical breakdown here.

The vulnerability existed because Microsoft’s architecture requires services to have god-like powers to function. They built a system where ultimate authority had to be trusted to someone, and that trust became the vulnerability.

“If We Can’t Trust Microsoft, Who Can We Trust?”

For decades, enterprises have justified their security decisions with a simple question: “If we can’t trust Microsoft, who can we trust?” It’s been the ultimate defense when things go wrong: at least you chose the industry standard.

This vulnerability, along with countless others across the industry, demolishes that logic. Microsoft joins a growing list of “trusted” vendors that suffered catastrophic breaches: Okta’s exposure of all customer support system users, Cisco’s hidden backdoor account exploited in attacks, BeyondTrust’s remote support SaaS compromise, and severe zero-trust flaws in Check Point, Zscaler, and Netskope. Each had the resources, expertise, and certifications. Each failed catastrophically. It’s inevitable.

What should really concern you is the invisibility of these flaws. Behind all the security promises and compliance badges, customers had no way of knowing these Actor tokens existed or carried such sweeping powers. You can’t audit what you can’t see, and you can’t secure what you must blindly trust.

The uncomfortable reality is that this is just the vulnerability that was discovered and disclosed responsibly. How many similar flaws are lurking in these vast codebases? How many have already been found by nation-state actors who are quietly exploiting them? When you have systems this complex, with this much centralized authority, vulnerabilities aren’t anomalies. They’re mathematical certainties.

The Ultimate Supply Chain Attack Vector

Large platforms like Microsoft aren’t just targets, they’re supply chain force multipliers. Compromise Microsoft, and you compromise everyone. This vulnerability proved that definitively.

Consider the exponential nature of the attack path discovered: starting from a single compromised tenant, an attacker could jump to every tenant that had guest users, then to every tenant those tenants had connections to. Within minutes, the majority of all Entra ID tenants worldwide could have been mapped and compromised.

Microsoft’s own tenant would likely be one of the first compromised (since Microsoft consultants are guests in countless customer tenants), and from there, every major service provider would be one step away. The entire global business infrastructure, falling like dominoes.

This isn’t a bug. It’s the natural consequence of building systems where ultimate authority must be blindly trusted to the system, and those that administer it.

Why “Authority” Is the Real Vulnerability

First, let’s define what we mean by “authority” in the digital world: it’s the power to grant access, approve actions, or enforce rules within a system. It’s what lets someone or something open the door to sensitive data, change configurations, or allow operations to run. Think of it as the master key to your digital kingdom.

The root cause of this Microsoft vulnerability wasn’t poor coding or lack of testing. It also isn’t correct to say that it’s the need to trust Microsoft. It’s more accurately what we’re trusting Microsoft with — Authority.

As long as someone or something holds it, it can be exploited. Today’s systems are built with someone, somewhere, having the ability to do anything. Maybe it’s an administrator, maybe it’s the vendor, maybe it’s a service account, maybe it’s a sub-system, but that ultimate power exists. And it doesn’t need to. Modern cryptographic techniques have made it possible to build systems where no single entity needs or has complete authority, where authority itself is distributed across multiple independent parties who must collaborate to act.

Traditional security, even “Zero Trust” security, doesn’t eliminate authority. It just moves it around. You stop trusting the network perimeter, but now you must blindly trust your Identity Provider. You implement defense in depth, but at the bottom of that depth sits an all-powerful system that, if compromised, renders every other defense meaningless.

The Actor token vulnerability perfectly illustrates this. It doesn’t matter how many security policies you had, how much you spent on monitoring, or how well-trained your security team was. When the Identity Provider itself is compromised at the most fundamental level, all of that becomes theater.

The Path to Authorityless Security

We need systems where inevitable breaches don’t have catastrophic consequences. We need architectures where authority doesn’t exist in any single place that can be compromised.

Imagine a world where:

• No single entity, not even the platform vendor, can access your sensitive data
• No administrator, no matter how privileged, can override the system without oversight
• No supply chain compromise can grant universal access
• No vulnerability, no matter how critical, can provide god-mode to attackers

This isn’t just better for security, it’s for a better ecosystem. Platform vendors can demonstrate they’re beyond reproach. Businesses can verify their security rather than hope for it. Users can trust systems because they don’t have to. Mistakes will be made, breaches will continue, but platforms will be cyber-immune to the consequences.

The technology to eliminate centralized authority already exists. Forward-thinking vendors are adopting it because they recognize the core architectural flaw, don’t want the liability, want to build fast and innovate without losing sleep over breaches, want to simplify compliance, and want customers to trust them because they no longer have to.

Consider how this alternative approach works: authority over user identities, administrative actions, and business data is distributed in the form a key who’s pieces live across a decentralized network. No single node, organization, or administrator ever holds complete power. When someone needs access to data:

1. Their identity is verified through distributed authentication where no single node knows their credentials
2. Authorization requires cryptographic consensus from multiple independent servers
3. Cryptographic keys needed to decrypt data or sign access tokens never exist in any one place, only their cryptographic actions manifest through the collaboration of multiple independent nodes
4. Even if an attacker compromises the IAM or multiple nodes holding key fragments, they cannot forge access or decrypt data

The crucial difference: there is no Actor token. There is no god mode. There is no single point of authority that, if compromised, hands over the kingdom.

In such a distributed system, the keys that could elevate privileges or forge tokens remain out of anyone’s reach. So even with a vulnerability similar to Microsoft’s, attackers still couldn’t access customer data, impersonate users, or grant themselves permissions. Mathematical guarantees ensure that authority remains distributed, even in the face of compromise.

The Uncomfortable Questions We Must Ask

Next week, another critical vulnerability will be discovered. Another emergency patch will be rushed out. Another post-mortem will be written. But the fundamental problem will remain: we’re trusting single entities with absolute authority over our most critical systems.

Consider the numbers: despite over $300 billion spent on cybersecurity annually, breaches caused over $10 trillion in damage last year. Things are only getting worse. This isn’t a failure of execution, it’s a failure of architecture.

How many undiscovered Actor token-equivalent vulnerabilities exist right now? How many have been found by adversaries who are silently exploiting them? How long can we pretend that “trust Microsoft” or “trust Google” or “trust any single vendor” is an acceptable security strategy?

The answer is clear: we can’t. Not anymore.

The Future Is Authorityless

The Actor token vulnerability isn’t just another security incident. It’s more proof that our entire approach to security is fundamentally flawed. As long as ultimate authority exists in any single place, that place will be compromised.

The future belongs to systems where authority doesn’t exist in any single place. Where cryptographic proofs replace blind trust. Where mathematical guarantees supersede vendor promises. Where the inevitable breach doesn’t mean inevitable catastrophe.

This isn’t about replacing one vendor with another. It’s about eliminating the need for vendors to hold any authority at all, replacing it with distributed, verifiable, mathematically-guaranteed security.

Microsoft has fixed this particular vulnerability. But the architecture that made it possible, the existence of centralized, god-like authority, remains. And it will remain until we collectively decide that trusting any single entity with everything is no longer acceptable.

The question isn’t whether another Actor token-level vulnerability exists. It’s when it will be discovered, and by whom.

Isn’t it time we stopped gambling with that question?

The authorityless architecture described in this piece is not theoretical. Advances in distributed cryptography now make it practical, economical, and verifiable at scale. At Tide Foundation, our peer reviewed research in ineffable cryptography and the development of platforms like TideCloak show how identity and access can be managed without trusting ultimate authority to any vendor, administrator, or insider. The goal is not for customers to “trust Tide,” but to remove the need for trust in any single entity at all.

Learn more at tide.org